diff --git a/.gitea/workflows/deploy-verso-prod.yml b/.gitea/workflows/deploy-verso-prod.yml
index 5d2ac99ccb..af8219a54a 100644
--- a/.gitea/workflows/deploy-verso-prod.yml
+++ b/.gitea/workflows/deploy-verso-prod.yml
@@ -329,6 +329,8 @@ jobs:
                       # (CE default): admin creates accounts / sends invites.
                       - name: OVERLEAF_ENABLE_PROJECT_PYTHON_VENV
                         value: "true"
+                      - name: OVERLEAF_LATEX_SHELL_ESCAPE
+                        value: "true"
                       # (SMTP email vars are loaded below via envFrom.)
                     # SMTP for password-reset / invite emails. All
                     # OVERLEAF_EMAIL_* vars come from the optional 'verso-smtp'
diff --git a/server-ce/Dockerfile-base b/server-ce/Dockerfile-base
index 574b7ed1cf..6e1aaba46e 100644
--- a/server-ce/Dockerfile-base
+++ b/server-ce/Dockerfile-base
@@ -25,6 +25,7 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
       unattended-upgrades \
       build-essential wget net-tools unzip time poppler-utils optipng strace nginx git python3 python-is-python3 zlib1g-dev libpcre3-dev gettext-base libwww-perl ca-certificates curl gnupg \
       qpdf \
+      inkscape \
 # upgrade base-image, batch all the upgrades together, rather than installing them on-by-one (which is slow!)
 &&  unattended-upgrade --verbose --no-minimal-upgrade-steps \
 # install Node.js https://github.com/nodesource/distributions#nodejs
diff --git a/server-ce/config/settings.js b/server-ce/config/settings.js
index 864b62261c..9d87799cd9 100644
--- a/server-ce/config/settings.js
+++ b/server-ce/config/settings.js
@@ -50,6 +50,7 @@ const TMP_DIR = '/var/lib/overleaf/tmp'
 const settings = {
   clsi: {
     optimiseInDocker: process.env.OPTIMISE_PDF === 'true',
+    latexShellEscape: process.env.OVERLEAF_LATEX_SHELL_ESCAPE === 'true',
   },
 
   brandPrefix: '',
diff --git a/services/clsi/app/js/LatexRunner.js b/services/clsi/app/js/LatexRunner.js
index f705edfb27..24ed2e690c 100644
--- a/services/clsi/app/js/LatexRunner.js
+++ b/services/clsi/app/js/LatexRunner.js
@@ -197,6 +197,10 @@ function _buildLatexCommand(mainFile, opts = {}) {
     command.push(...opts.flags)
   }
 
+  if (Settings.clsi?.latexShellEscape) {
+    command.push('-shell-escape')
+  }
+
   // TeX Engine selection. A .tex project may carry a non-LaTeX compiler value
   // (e.g. 'quarto', the fork-wide default for Project.compiler) because the
   // runner is chosen by file extension, not by this setting. In that case fall